With all the hype about identity theft and other consumer-side digital crimes, it’s easy to overlook the fact that merchant fraud is still one of the most common and costly causes of financial loss for acquirers.
Merchant fraud can be very hard to detect – especially given the complexity of the digital payments ecosystem. Yet, the work put into detecting and preventing merchant based fraud is nothing compared to the costs involved in dealing with chargebacks, fees and fines. Merchant fraud exposes acquirers to the liability of facilitating criminal activity – placing them at risk of chargebacks, fines, brand or reputational damage, regulatory sanctions, and even legal action.
When tackling the challenges of merchant fraud, acquirers need to be aware of the many forms this fraud can take. Specifically, acquirers should be on the lookout for these three types of merchant fraud:
1. Bust Out Fraud
In this fraud scheme, a merchant applies for a merchant account without any intention of actually operating a legitimate business. These merchant accounts are then used to process fraudulent transactions or to acquire lines of credit before abandoning the account altogether.
The aim of this type of fraud is simple: process as many fraudulent transactions as possible within a short amount of time, and before being caught, simply abandon the account. In the online world, it is extremely easy to falsify identities and set up fake businesses. For example, in what is probably the biggest synthetic identity fraud scheme to date, criminals managed to create 7,000 fake identities and apply for and receive 25,000 separate credit cards. They also created fake companies that did little or no legitimate business or worked together with other stores to run their credit card transactions. In total, the perpetrators managed to steal $200 million from banks between 2003 and 2013.
Fraudsters will be very careful to not trigger any alerts during the onboarding process, and most traditional KYC programs fail to continuously monitor the status of existing accounts. Once the merchant is approved by an acquirer, fraudsters will immediately start processing fraudulent transactions and will continue doing so for as long as possible.
To convince the banks that they were real individuals that lived at a particular address, the criminals made up social security numbers and even created fake utility bills. The above demonstrates just how easy it is to falsify an identity or set up bogus online storefronts for the purpose of fraud and transaction laundering. A strong KYC program is essential in order to block these bad actors out of the ecosystem. To detect fraudulent merchants, acquirers must conduct enhanced due diligence during the merchant onboarding process and regularly monitor transaction activity.
Bust out merchant accounts are associated with high chargeback rates. Once chargebacks start to pile up, these merchants are usually rapidly shut down by the acquirer. However, at this point the damage is already done. When the merchant escapes, leaving an empty shell of a business behind, the acquirer is stuck with the bill.
Bust out merchant based fraud is a growing problem and despite efforts to fight this crime, the associated losses continue to increase. A lack of proper KYC processes that are geared towards digital identities is one reason why bust out merchant fraud continues to be a salient issue.
2. Identity Swap
Certain individuals, for example individuals on the AML/ATF watch lists, merchants from countries on which economic sanctions are imposed or those belonging to certain extremist groups are prohibited from opening merchant accounts with major acquirers. To circumvent these prohibitions, merchants often use a fake or stolen identity or set up a bogus online storefront in order to secure a merchant account.
In this case, the business itself may be legitimate, and chargebacks won’t necessarily be an issue. However, regulators expect acquirers to demonstrate due care and due diligence in preventing merchants from acquiring fraudulent accounts through identity theft. Failure to do so can result in steep fines and severe reputational damage.
3. Transaction Laundering (a.k.a. Factoring)
Although many industry initiatives focus on fraud and identity theft, the reality is that a significant percentage of financial losses are associated with transaction laundering.
An urgent and growing problem in the payments industry, transaction laundering occurs when an unknown business uses an approved merchant’s payment credentials to process payments for products and services that the acquirer is not aware of.
Proliferation of micro merchants and instant onboarding, as well as the explosion of different payment methods contribute to data overload and difficulty in monitoring merchant portfolios. According to our estimate, $352 Billion is being laundered this way every year in the US alone.
Criminal merchants can simply lie about the nature of their business if they want to sell high-risk goods or services, or they can adopt questionable business formats forbidden by the acquirer, such as multi-level marketing schemes.
We estimate that, on average, an acquirer will process transactions for an additional 6% of their "known merchant base" without their consent or knowledge. This is a troubling thought, as it means that a significant number of transactions passing through merchant accounts are unknown and illegitimate.
Changing Business Format
One way fraudulent merchants cheat KYC efforts and avoid acquirer scrutiny is by establishing a storefront website that falls into a “low-risk” merchant category. After passing the initial KYC checks and establishing their merchant account, these criminals simply change the content on the website and start selling whatever goods, via whatever business methodology they choose. Yet payment providers do not always conduct effective onboarding and continuous content monitoring. This means that they often fail to detect merchants for whom the MCC code does not correspond to actual merchant activity.
Mitigating Merchant Fraud - Tips for Acquirers
To avoid the risk of transaction laundering and other forms of merchant fraud, acquirers need to revise procedures and technology to become as agile and efficient as the fraudsters themselves. Specifically, acquirers should devote special attention to:
1. “Big Picture” Risk Management Processes
Fraud prevention programs prevalent today are mostly focused on transaction level monitoring. This is an important element of a risk management program, but in order to identify advanced fraud methods such as transaction laundering, acquirers need to go beyond the transaction level and pay a close attention to the surrounding ecosystem.
At the transaction level, a lot of context is lost - what you see is simply a merchant account interacting with credit cards. You are missing the people and real identities behind these transactions. Looking at a wider online ecosystem can help acquirers to identify a merchant’s online fingerprints such as personal information, connections between various merchant accounts and social information.
To get ahead of the fraudsters it is important to place each transaction in a wider context and look at everything that happens before the transaction even occurs. Hundreds or even thousands of relevant data points that can be abstracted to detect fraudulent activity are completely missing from transaction level monitoring solutions.
In today’s regulatory climate, comprehensive and integrated transaction laundering monitoring and prevention are a crucial part of overall anti-fraud risk management for acquirers.
2. Continuous Merchant Portfolio Monitoring
Reviewing merchants at onboarding isn’t sufficient to eliminate the risk of transaction laundering. As discussed above, merchants can easily change their line of business after they have been accepted to acquirer programs. Companies need to adopt technology that allows them to continuously confirm that each merchant is actually selling what they’re supposed to be selling. Merchants need to be monitored in-depth, at both the transaction level and ecosystem level, to spot and resolve problems quickly. To do this, anti-fraud technology needs to continuously analyze hundreds of data points – flagging suspicious transactions and lowering acquirer liability without raising monitoring overhead.
3. The Need for Big Data
A comprehensive risk management program requires a dedicated platform that can combine transaction level monitoring and ecosystem analysis. This involves dealing with extremely large data sets. Therefore advanced technologies such as machine learning and natural language processing are indispensable in identifying advanced merchant fraud with the help of Big Data.
The value of machine learning for mitigating risk in the financial world is nothing new. Yet today, while any organization can harness the power of machine learning to lower the risk of transaction laundering, many do not. How does this work? Machine learning continuously monitors hundreds of thousands of data points to detect suspicious activity throughout online assets associated with a particular merchant. By monitoring even micro-transactions at a granular level, this technology can identify anomalies and enable acquirers to identify and mitigate the risk of fraud.
The Bottom Line
To fight advanced merchant based fraud, you need advanced solutions. It is important to look at the full context of each transaction, analyze the surrounding ecosystem, continuously monitor merchants in your portfolio and analyze hundreds of thousands of data points. It's simply impossible to find hidden connections between merchants and real identities without taking advantage of Big Data.